SIGNIFICANT DECISIONS OF DATA PROTECTION BOARD ON DIFFERENT TOPICS

The Data Protection Board (“Board”) announced 3 (three) important decisions on its website on 17 July 2019 regarding different sectors and topics. Please pay special attention to the third decision, regarding “Gmail”, mentioned below. A summary of the decisions follows:

The summaries of the Board decisions dated 25.03.2019 and numbered 2019/81, and dated 31.05.2019 and numbered 2019/165, regarding gym service providers that compel palm scanning for entrance, were published on 17.07.2019.

The Board stated that palm scan data, which is a type of biometric data, can only be processed with the explicit consent of the related person. Explicit consent must be given without coercion; because this consent is stated as a requirement in the service contracts, it cannot be interpreted as explicit consent. In addition, given that alternatives such as check-lists, tags or magnetic cards are available, using biometric data does not comply with the principle of “being related, limited and temperate with the data processing purposes”, and an administrative fine has been imposed on the data controller.

The Board has decided that the data processing must cease urgently, that the data already processed must be destroyed and that, if the data has been transferred to a third person, notice must be given of the transactions to destroy the data.

The summary of the Board’s decision dated 31.05.2019 and numbered 2019/162, regarding an electronic commercial message sent by a data controller without the explicit consent of the person, was published on 17.07.2019.

It is observed that, after a text message for commercial purposes was delivered to the person’s phone number, the person requested information on how and where the personal data was acquired and why the data had been used without explicit consent. After receiving no answer, the person applied to the Board. In its examination, the Board resolved that the activity subject to the application is a data processing activity in terms of data protection legislation and that the sending of the message is not based on any of the criteria for data processing. Therefore, an administrative fine of TRY 50.000 was imposed on the data controller for not taking the measures to prevent unlawful processing of personal data.

The summary of the Board’s decision dated 31.05.2019 and numbered 2019/157, regarding the application on whether the institutional e-mail service can be used with the same mail extension through Google Gmail, was published on 17.07.2019.

A data controller requested the opinion of the Board on whether the e-mail addresses created via Zimbra, which is an e-mail server providing free institutional e-mail services, can be used with the same mail extension through Google Gmail. The Board decided that, where the Gmail e-mail service platform is used, the e-mails sent and received will be held in data centers in several places around the world, and that this constitutes a transfer of personal data abroad. Data controllers must carry out the aforementioned transactions in accordance with the provisions on the transfer of personal data abroad.

Having said that, there are questions as to whether the decision is realistic in this connected world where almost all companies are using cloud solutions. We raise this question because, under Turkey’s current applicable data protection regime, the data controller should obtain the explicit consent of the data owner in order to transfer personal data abroad. In the absence of explicit consent, personal data can be transferred to countries stated in the secure country list to be announced by the Board, or an undertaking should be signed by and between the data transferor and data transferee, which should then be approved by the Board. Since the Board has not yet announced the secure country list and it is complicated to proceed with the undertaking method, the current regime obliges data controllers to obtain explicit consent from the data owners. This causes hesitation on the part of data controller companies, due to the possibility of rejection and/or revocation of explicit consent by the data owners.

Considering the above, it seems that companies in Turkey that use outsourced e-mail hosting services may face difficulties in the future, and we believe that, to ease this period, the Board must publish the list of countries that provide adequate protection as soon as possible.

You may find detailed information about the decisions on the Board’s official website (www.kvkk.gov.tr).

Please let us know if you have any queries.